Cyber Insurance – check the fine print

Why should my business have an Independent Security Review?

When we provide Independent Security Reviews for clients, the first thing we do is sit down with them to understand their business, what type of information they hold, where they store it, what type of financial processes they have, and how they interact with their clients.

We use this information to perform a threat modelling exercise, in which we think about how a criminal could attack the business, what effort each attack would take, and what the attacker would gain from it.

The result is a list of threats, ranked on two things: real-world data (which attacks are actually happening to comparable companies) and relevance to the client (whether the client holds information, or runs systems and processes, that are exposed to that type of attack).

The Threat Model

The threat model determines where we test and probe, and where we ask further questions, both of the client and of their IT company. We also use it to assess how ready the client is to respond to a successful attack, and whether they could limit the damage it caused.

For many clients the only response plan in place is a cyber insurance policy. A policy may transfer some of the financial loss, but it does not tell anyone what to do on the day of an incident; there is more a company should do to plan for a cyber security incident, and we provide recommendations in that area.

Issues with policies

We review the cyber insurance policy against the threat model to see whether the client is really getting the protection they think they are. In the majority of cases we find that they are not: the policy excludes a major risk that the client assumed would be covered.

Examples we have seen include policies that only cover malware written specifically for the client (unless you are Sony this is unlikely to happen; most malware is commodity tooling reused against many victims), and policies that only cover online fraud if the criminal has broken into the client's systems and made the bank transfer themselves. In practice the majority of online fraud happens because criminals persuade staff to pay funds to the wrong bank account, for example through a fraudulent invoice or a spoofed email from a director, and a policy worded that way pays nothing for it.

What should I do next?

If you’d like to understand what your real risks are, how to minimise them, and how to limit the damage of a cyber security incident, then please get in touch.